44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
Size

4.1MB
MD5

093801dc2cdc097ea4478090e197fcc0
SHA1

db3a1283e1f7b0f8e7c748bd035cf5f81be459ad
SHA256

44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9
SHA512

686afe64da35c1415dc4ce5586da726aeaeee6cf31c46d6a3160a11e67d63b959fb626d8d3de77f2f5efb4044a6bab132c7d86c239900866100b109badbdc10e
SSDEEP

98304:+R0pI/IQlUoMPdmpSp84ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm75n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2216	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv82\\devbodloc.exe"	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGN\\optiaec.exe"	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2216	devbodloc.exe
1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2216	1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe	28
PID 1656 wrote to memory of 2216	1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe	28
PID 1656 wrote to memory of 2216	1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe	28
PID 1656 wrote to memory of 2216	1656	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe	28

C:\Users\Admin\AppData\Local\Temp\44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
"C:\Users\Admin\AppData\Local\Temp\44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656
- C:\SysDrv82\devbodloc.exe
  C:\SysDrv82\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZGN\optiaec.exe

Filesize
4.1MB

MD5
9535b4acf334c0567d458dd83c30e2ce

SHA1
9e1dbd804f2c2c6150b9a78d6ee00d5316065d6d

SHA256
8d955de4884f96e705ed51cbec058b8e61b3b32dcbb64ea008febad2bf625f4e

SHA512
efb91e04a361d5690a5f02f1f3ea159ba11b6d68fdd29ad1973e2ae2a0013a36386111dc2e232652dde38ee67643e8b0246dff468864a380d68a17d9ebc9017c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
51aed2f14474f7bc54f326a8efe4b1a4

SHA1
a1fa5781c6835227ecd100c54d9d5b4812632707

SHA256
894b367053db5184853952930a412f3f17440199b312941ecd3aef4cabe76f8b

SHA512
c3a7a5d1b334683439d0cd85ecd18b4fd188d3440360a8d27fe884b4790a58514be39b740531b4c01ee0838eb3eb21405903b32a76cc0980443f24ed0ee80aa6

Download Submit
\SysDrv82\devbodloc.exe

Filesize
4.1MB

MD5
4053db1059b2851f4afc7e7d5624d46e

SHA1
dbc49664d340133b329058f91a727f328de951a5

SHA256
05070cd4c90de92322c1f06f699c783700dd0c93b289f8a8921377d9fde61ac1

SHA512
92a231ba9f59cc0918aa82d056b4bd001e1329bdab974e30a09459af0846d01cb7bd05abb4d198c0ed427a14ebdefdb58bdb91dd0577944d346db7e0303d5ec1

Download Submit